Presented by: Cassandra Cross

In 2019, Australians reported over $634 million lost to fraud, up from $489 million in 2018. This amount has continued to rise for more than a decade. Business email compromise (BEC) fraud was the highest category of financial loss for the first time, totalling $132 million, followed by investment and romance fraud at $126 million and $83 million respectively. From the outside, it is difficult to understand how so many people continue to lose such large amounts of money, given the prevalence of warnings and education campaigns. It is easy to blame victims and think that they should have known better.

This presentation examines the reality of fraud victimisation. It focuses on the techniques used by offenders to successfully persuade an individual to do something they would not ordinarily do. Offenders are argued to be highly skilled, tech savvy individuals who can easily identify a weakness or vulnerability in a person and manipulate and exploit this for their own financial advantage. Despite what we may think, no one is immune to the potential of fraud victimisation.

Drawing from my own research in this area, this presentation outlines examples of various social engineering and psychological abuse tactics used by offenders to gain compliance to their requests. In doing this, the presentation counters the negative stereotype of fraud victims, and instead highlights the complex and dynamic characteristics of fraud victimisation. Finally, the presentation concludes with what can be done in the future to strengthen individuals against fraud.

Bio:

Dr Cassandra Cross is currently a Senior Research Fellow, Cybersecurity Cooperative Research Centre (CRC), and an Associate Professor, School of Justice, Queensland University of Technology. In 2011, while working for the Queensland Police Service, she was awarded a Churchill Fellowship to examine the prevention and support of online fraud victims worldwide. Since taking up her position at QUT in 2012, she has continued her research into fraud, publishing over 60 outputs across the policing, prevention, and victim support aspects of fraud. Further, she has been awarded over AUD$1.3million in funding, largely to drive her research in this area. She is co-author (with Professor Mark Button) of the book Cyber frauds, scams and their victims published by Routledge in 2017.

Presented by: Christopher Vella

When learning vulnerability research I commonly heard how difficult 0-days are to find and exploit especially with the advent of ASLR and other mitigations. Turns out there are vulnerability types that are actually super common in software, even really common software you'd find on almost any PC in someone's home or organization (AVs, PDF viewers, etc).

In this talk I'll be walking through real examples of 0-days in common software I discovered during personal research (some patched, some still 0days), with a focus on the methodology and tooling leveraged to discover these vulnerabilities to demonstrate how some bugs are relatively simple to find. Most bugs are LPEs with the occasional RCE, all relating to third-party software on windows.

Bio:

Security Researcher @ MSFT, typically a windows vulnerability researcher (incl. Hypervisors) and low-level dev (emulators, hypervisors, etc) with newer ventures in macOS/iOS fuzzing and ARM64 dev.

Presented by: Eldar Marcussen

Proving vulnerabilities in modern web applications is significantly harder than it used to be thanks to WAFs and other protection measures. This talk will discuss and showcase several approaches to bypasses ranging from simple to advanced.

Bio:

Eldar (@Wireghoul) is a lead security researcher and penetration tester. He is a long time bug hunter with a large number of published advisories, exploits and conference presentations at leading security conferences all over the world. He was a recipient of the first CVE 10K candidate numbers.

In addition to finding vulnerabilities he contributes to and maintain several open source projects in his spare time aimed at web application security and penetration testing. These include graudit, doona, lbmap, dotdotpwn, nikto and more. His tools and research are featured in most security oriented linux distros as well as many industry leading books.\

Presented by: Iggy

CSI Miami fans will tell you that forensics is all about cool shades and mood lighting but what happens when the tools can’t tell the story?
In 2019 I was approached by some associates in a national law enforcement agency who wanted to know if I was interested in doing them a favour and having a look at a task that had the tools stumped. This presentation covers how I approached a forensic data recovery on an “old school” digital consumer device in my home lab, how the tools we rely on can fool us and how just 16 bytes of data can help catch a cold case murderer.

Bio:

Iggy stated out as a broadcasting technician baby sitting high power TV and radio transmitters on a mountain while also doing contract software development on CP/M and industrial control systems including the infamous Australian Microbee.
Before it became the norm he automated radio stations 2MG, 2PK and 2RG to allow unmanned after hours operation. He spent time as a Unix system admin, service manager of a multi-outlet Apple & IBM dealership and small IT business owner before trying his hand as a NSW cop.
Iggy is often blamed for setting up the first sanctioned NSW Police intranet server (Win NT, Apache, MySQL, PERL), acting as a technical advisor during the NSWP restructure in 2002 and writing a lot of J2EE applications which continued to haunt his former police colleagues until well after he left "the job" in 2004. He then spent an interesting period as the CIO of a diverse food and wine industry company which he fondly describes as “like being stuck in a 3 year version of the Devil Wears Prada”.
For the past 13 years Iggy has "worked for the government" in various roles related to national security, "cyber" and electronics engineering.
Iggy was proudly kicked out of school in year 8 for spending too much time wagging, time he spent reading electronics magazines and writing software for the Department of Education psychologist!
His interests include electronics, embedded systems, digital forensics, information security, radio control modelling, volunteer road crash rescue, fire fighting and anything shiny!
Iggy was also the designer of the inaugural bsides Canberra badge in 2016.
He has no formal qualifications except an electronics trade certificate but is an avid learner with 14 SANS information security and forensics courses under his belt as well as many other electronics design, manufacturing and maintenance courses.

Presented by: Jayden Rivers

Attacks on the GLibc dynamic memory allocator have been continuously evolving over the past 20 years. New mitigations include double free detection, metadata validation, and now pointer signing. The bar is always being raised. However, sometimes a mitigation can extend the complexity of a program or library. In this added complexity, new techniques or bugs can be discovered.

This talk has two major parts. The first is a high level overview of PtMalloc with a focus on the TCache. The second is a continued focus on the TCache from the perspective of an attacker attempting to bypass new mitigations. In particular, I detail the variants of a bypass which successfully overcomes Safe-Linking within the constraints set by Check Point Research's threat model.

Bio:

I'm (@Awarau1) a second year Computer Science student at the University of Sydney. While completing my studies I've also been working at InfoSect doing vulnerability research and exploit development. My main interests are vulnerability discovery through automated and manual static analysis, binary exploitation, and theory of computation.

Presented by: Josh Johnson

Whether it be in your car, vacuum cleaner, or light bulb, embedded electronic devices are playing an increasingly important role in our lives. This talk will discuss how to design electronic hardware at home, allowing the benefits of modern technology to increase our quality of life. It will provide a high level, tool agnostic overview of the hardware design process, taking the audience from concept generation through to an assembled product, discussing key steps along the way with tips to ensure success in their project.

Bio:

Josh is passionate about electronics and spends his days designing the next generation of vehicles at Ford. He utilises his spare time to work on varying projects spanning embedded systems to RF, along with educating others about the wonderful world of electronics.

Presented by: Sam

What will Western Australia export when we can’t dig anything more out of the ground? Could it be hackers? For four consecutive years, a volunteer team of pentesters, incident response specialists, software engineers, and infosec professionals from the Perth community have come together to build and run one of Australia’s largest CTFs.

WACTF0x04 was a two-day event that saw some 350 hackers around Australia pop shells and solve DFIR cases across 52 challenges. More than 300 players were W.A. locals who competed for more than $15,000 in prizes. With over 3,600 Docker containers, 1.28Thz of compute, and 300GB of RAM – the challenges we overcame as volunteers while building and scaling WACTF would put some enterprise teams to shame.

Let me show you how we do it. From development through DevOps, infrastructure through Internet. We’ll explore the challenges of building an environment designed to be hacked and takeaways applicable to conventional networks. We’ll run through our efforts to minimise the Kubernetes attack surface, the difficulties of hard multi-tenancy, and how to own clusters in the real-world (or other CTFs 😉). Lastly, we’ll share what’s instore for WACTF0x05.

Bio:

Sam (@sudosammy) is a principal penetration tester and tech lead for Trustwave (formerly Hivint) in Perth. Also a SecTalks Perth and WACTF organiser, he pronounces ‘gif’ as ‘jif’ religiously which puts significant strain on his professional and personal relationships.

Presented by: Samir Ghanem

Nagios XI and Nagios Fusion are popular IT infrastructure monitoring tools that retrieve, store, and display device health on customisable web dashboards. Since a large portion of the Nagios code base is open source, it didn’t take long to realise the PHP code was littered with bugs. So, the challenge was set to find 13 vulnerabilities before Friday. After finding 13 vulnerabilities, we used the spare time to build an attack platform that leverages the vulnerabilities to take full control of a Nagios XI / Fusion deployment. This talk will provide details of the bugs and how we chained them together to create the attack platform now known as SoyGun.

Bio:

Samir is currently a technical lead in Skylight Cyber Security, where he conducts deeply technical assessments of organisations’ cyber security posture. As part of his work, Samir engages in original security research, often resulting in newly discovered software vulnerabilities and exploitation tools.

Presented by: Sean Yeoh, Patrick Mortensen, Michael Gianarakis, Shubham Shah

Content discovery involves the exploration of files, folders and API endpoints that may be accessible on a web server. Hackers must have a good understanding of what is accessible, in order to effectively test it for security vulnerabilities. Without knowing what is accessible, security testing against servers being targeted can be incomplete and not as effective.

For the longest time, innovation in content discovery has usually been about making existing tooling faster, so larger wordlists can be used. While this has been a welcomed innovation by many people in the security industry, we believe not enough time and effort has been spent on making the actual process of content discovery more effective and hasn’t kept up with modern technologies.

Modern technologies such as Ruby on Rails, Django, Flask, Node.js and Golang typically define endpoints in a way that may explicitly require certain HTTP methods, headers, parameters and values in order to be reached. Present bruteforcing tools are not aware of this context and will fail to discover these specific API endpoints. Consequently, how much attack surface are security testers missing?

Our approach involves scanning the internet at large in order to scrape structured API documentation (JSON) allowing us to amass a large dataset (10k+ Swagger files) which facilitates context aware content discovery. By reverse engineering this large dataset of structured API documentation, the team has developed a comprehensive content discovery wordlist which provides context for each request being made (HTTP methods, headers, parameters, values).

In addition to releasing this dataset, the team will also release a specialised tool which is capable of reading our wordlist and rapidly sending these requests to any target server. We will demonstrate the effectiveness of our new context aware bruteforcing approach in direct comparison with all of the current content discovery tooling available.

If you test web application servers, our presentation will give you the tools to be more effective at content discovery against modern technologies.

Bio:

This project was a collaborative effort amongst friends, with each member of the Assetnote team working on different facets of the research. Each individual has years of experience in offensive security and bug bounties and have presented at conferences around the world including DEF CON, Black Hat Asia, 44Con, Hack In The Box, THOTCON, BSides Canberra and BSides Las Vegas.

* Sean Yeoh - Back End Wizard
* Pat Mortensen - Employee Number One
* Shubham Shah - Junior Vice President of Number Running
* Michael Gianarakis - Full Time Guitarist, Part Time CEO

Presented by: Sebastian Salla

Ever wished you could bypass spam & malware filters to guarantee delivery of your spear-phishing email?
In this talk we’ll focus on a set of extremely widespread and seemingly unknown security vulnerabilities that plague organisations across the globe. We’ll show how these vulnerabilities can be abused at-scale and how they expose what spam or malware filtering technologies are in-use, the rules, the scoring of inbound mail and ultimately if we can bypass the filters all together – all without any form of user interaction.

Bio:

I’m currently a Cloud Security Engineer with McAfee but I’ve also got a background in security operations, offensive security and risk management. I prefer a hands-on approach and strive to think with an attacker’s mind-set when working with my customers.
Outside of work, I love to work on open-source offensive security tooling and re-creating security breaches to keep up with the latest trends.